Certification readiness for teams that self-host.
For CISOs, procurement, compliance officers, and security engineers. Honest status up front: TomatoRTC does not currently hold vendor SOC 2 certification — this deck explains what we provide instead.
Shared responsibility
Self-hosted software changes who holds the certificate.
A vendor SOC 2 report from a hosted CPaaS covers their cloud boundary. With TomatoRTC, your deployment is the system — our Compliance package supplies evidence to speed your audit.
- TomatoRTC (software) Platform controls: tenant isolation, WSS/DTLS/SRTP, audit chain, admin API hardening, redaction helpers.
- You (operator) Cloud account, network perimeter, IdP integration, log retention, backup/DR, personnel policies.
- Your auditor System boundary definition, observation window, and Trust Services Criteria opinion.
Certification status
What TomatoRTC holds today — and what you pursue on your infrastructure.
SOC 2 evidence kit
Structured audit evidence — not a vendor certificate.
Ships with the Compliance package license add-on. Maps platform controls to AICPA Trust Services Criteria and tells auditors what to inspect.
Splits TomatoRTC software controls from your cloud, IdP, and operations obligations.
Security, Availability, and Confidentiality criteria tied to features, env vars, and exports.
Production TLS, admin CSRF/origin lockdown, K8s NetworkPolicy, TURN relay ranges.
Starter policies auditors expect — your counsel reviews and adopts.
What to pull: audit chain export, OTel traces, admin logs, redacted support bundles.
Scoped methodology and dedicated test environment coordination.
Evidence inputs
Platform controls auditors commonly reference.
Available today — not a SOC 2 report by themselves. Your operators must configure and retain evidence per the security hardening guide.
tenantId:roomId namespace — cross-tenant join rejected even with a valid token.
WSS, DTLS/SRTP, short-lived tenant-scoped TURN credentials.
RS256/JWKS/OIDC with your IdP; RBAC at handler level; separate admin token scope.
Hash-chained audit log, SIEM export, support bundles strip tokens and secrets.
Your path
Six steps from quote to auditor-ready evidence.
- 1 Add Compliance package
+$35k/yr license add-on on Business or Enterprise quote
- 2 Receive evidence kit
Walk through shared responsibility matrix with your TAM
- 3 Deploy hardened
Apply templates and security-hardening checklist in target environment
- 4 Wire exports
Audit chain and telemetry into your SIEM for the observation window
- 5 Engage auditor
Kit mapping plus your cloud-provider SOC reports
- 6 Optional pen-test
Coordinated test environment — Enterprise + Compliance package
Pen-test coordination
Guided testing against a dedicated environment.
Enterprise license holders with the Compliance package can arrange scoped penetration testing. Findings route through security@tomatortc.com with remediation SLA alignment.
- Scope Dedicated test environment — not production traffic. Methodology aligned to your threat model.
- Deliverable Findings report suitable for pre-audit hardening — supplements, not replaces, your auditor procedures.
- Retest Retest window negotiated per engagement after remediation.
Pricing
Compliance is an add-on — not included in base license tiers.
+$35k/yr — SOC 2 evidence kit, hardened deployment templates, pen-test coordination.
Default TCO scenarios exclude compliance. Add this line item when procurement requires structured audit evidence.
Regions, CCU burst, AI workers, premium support, migration SOW — see pricing deck.
Starter $28k/yr · Business $84k/yr · Enterprise $220k+/yr — compliance stacks on top.
Review controls. Request the kit. Scope your quote.
- 1 Review threat model
Security & compliance deck — covers controls, hardening checklist, and evidence categories.
- 2 Request kit TOC
sales@tomatortc.com — Compliance package sample deliverables
- 3 Scope quote
License tier + Compliance add-on + self-managed or managed path